The disclosed computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects may include (1) identifying a potentially malicious file located on a computing system, (2) determining at least one potential side-effect of the potentially malicious file, (3) generating, based at least in part on the potential side-effect of the potentially malicious file, a repair script that facilitates remediation of the potential side-effect, and then (4) remedying the potential side-effect by directing the computing system to execute the repair script. Various other methods, systems, and computer-readable media are also disclosed.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: identifying a potentially malicious file located on a computing system; determining at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file; generating, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by: identifying all known variants of a family of malware that includes the potentially malicious file; performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; and remedying the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to: compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known-side effect and the potential side-effect; determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold; in response to determining that the heuristic distance is below the certain threshold: classify the registry key or the other file as a side-effect of the potentially malicious file; and remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file.
A method for automatically creating malware repair scripts involves first identifying a suspicious file on a computer. Next, the system determines what the malware *might* do, focusing on registry keys or files it creates or changes. To generate the fix, the system considers all known variants of the malware family. It runs these variants in a sandbox (controlled software automation) or analyzes data from real-world infected machines (field telemetry). Based on this analysis, variations in side effects are identified. The repair script is executed on the infected computer which computes a "heuristic distance" (amount of difference) between expected side-effects and the actually observed changes. If this difference is small enough (below a threshold), the suspicious registry key or file is classified as a malware side effect and remediated.
2. The method of claim 1 , wherein the potential side-effect of the potentially malicious file comprises at least one of: a modification to a file name caused by the potentially malicious file; a modification to the registry key caused by the potentially malicious file; a creation of the file caused by the potentially malicious file; and a creation of the registry key caused by the potentially malicious file.
The method described in Claim 1, where the potential side-effect of the malware includes changes to a file name, modifications to a registry key, creation of a new file, or creation of a new registry key. In other words, the system detects side-effects such as a new file suddenly appearing or an existing registry key being changed after malware execution. The repair script specifically targets these changes.
3. The method of claim 1 , wherein determining the potential side-effect of the potentially malicious file comprises: executing the potentially malicious file in a controlled software automation environment; upon executing the potentially malicious file, detecting evidence of the potential side-effect; and determining, based at least in part on the evidence of the potential side-effect, that the potentially malicious file causes the potential side-effect.
The method described in Claim 1, where identifying potential malware side effects involves running the suspicious file in a controlled, automated testing environment (sandbox). By observing the system's state after execution, the system detects any new activity. If the file execution results in side effects, it's determined that the file is the cause. This helps automatically identify side effects without relying on pre-existing knowledge.
4. The method of claim 1 , wherein determining the potential side-effect of the potentially malicious file comprises: collecting behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; and identifying, by analyzing the behavioral information collected from the group of computing devices, the potential side-effect of the potentially malicious file.
The method described in Claim 1, where identifying potential malware side effects involves collecting data from multiple computers that have run the suspicious file. By analyzing the combined behavior across these machines, the system identifies common side effects caused by the file. This approach uses real-world data to determine the file's impact, rather than relying solely on isolated sandbox testing.
5. The method of claim 1 , wherein: determining the potential side-effect of the potentially malicious file comprises determining at least one potential side-effect of at least one variant of the family of malware that includes the potentially malicious file; and generating the repair script comprises generating, based at least in part on the potential side-effect of the variant, a repair script that facilitates remediation of the potential side-effect of the variant.
The method described in Claim 1, where instead of focusing solely on the original suspicious file, the system also examines the potential side effects of related malware variants. The repair script is then generated to address these variant-specific side effects. By addressing multiple related threats, the repair script is made more comprehensive.
6. The method of claim 5 , wherein the variant of the family of malware comprises at least one of: a variant whose file name differs from a file name of the potentially malicious file; and a variant whose attribute differs from a corresponding attribute of the potentially malicious file.
The method described in Claim 5, where the malware variant is identified by differences in its filename or file attributes compared to the original suspicious file. Even if the file has been altered slightly, the system still recognizes it as belonging to the same malware family and addresses the new side-effects.
7. The method of claim 1 , wherein generating the repair script that facilitates remediation of the potential side-effect comprises generating a generic repair script that: identifies the registry key or the other file as potentially being a side-effect of the potentially malicious file; and facilitates remediation of the registry key or the other file identified as potentially being a side-effect of the potentially malicious file.
The method described in Claim 1, where generating the repair script produces a generic script that identifies registry keys or files as *potentially* being malware side effects. The script then facilitates remediation of these potentially malicious items. This means the script is designed to flag suspicious items even if they are not definitively confirmed as malicious, allowing for a broader cleanup.
8. The method of claim 1 , wherein performing a controlled software automation analysis on all of the known variants of the family of malware comprises: executing at least one variant of the potentially malicious file in a controlled software automation environment; upon executing the variant of the potentially malicious file, detecting evidence suggesting that the registry key or the other file is a side-effect of the potentially malicious file; and computing the certain threshold based at least in part on the evidence suggesting that the registry key or the other file is a side-effect of the potentially malicious file.
The method described in Claim 1, where the controlled software automation analysis involves executing malware variants in a sandbox. The system monitors for changes, specifically looking for the registry key or file that is potentially a side-effect. The "heuristic distance threshold" used in remediation is calculated based on the observed changes in the sandbox. This allows the system to dynamically adjust the threshold based on observed malware behavior.
9. The method of claim 1 , wherein performing a field telemetry analysis on all of the known variants of the family of malware comprises: collecting behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; identifying, by analyzing the behavioral information collected from the group of computing devices, the registry key or the other file as potentially being a side-effect of the potentially malicious file; and computing the certain threshold based at least in part on the registry key or the other file potentially being a side-effect of the potentially malicious file.
The method described in Claim 1, where the field telemetry analysis involves collecting data about the malware from computers that have executed it. This data is analyzed to identify the registry key or file that is potentially a side-effect of the malware. The "heuristic distance threshold" used in remediation is computed based on this real-world data. This allows the system to adjust the threshold based on actual malware impact.
10. The method of claim 1 , wherein generating the repair script comprises generating the repair script based at least in part on the variations in potential side-effects that result from executing or removing the variants from computing systems.
The method described in Claim 1, where the generated repair script is designed to specifically address the variations in potential side effects caused by different malware variants. If one variant creates a specific registry entry while another modifies an existing one, the repair script handles both scenarios.
11. A system for generating repair scripts that facilitate remediation of malware side-effects, the system comprising: at least one memory; an identification module, stored in the memory, that identifies a potentially malicious file located on a computing system; a determination module, stored in the memory, that determines at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file; a generation module, stored in the memory, that generates, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by: identifying all known variants of a family of malware that includes the potentially malicious file; performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; a remediation module, stored in the memory, that remedies the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to: compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known-side effect and the potential side-effect; determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold; in response to determining that the heuristic distance is below the certain threshold: classify the registry key or the other file as a side-effect of the potentially malicious file; and remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file; and at least one physical processor that executes the identification module, the determination module, the generation module, and the remediation module.
A system for automatically creating malware repair scripts has modules for identifying a suspicious file, determining its *potential* side effects (registry keys or files created/changed), generating a repair script, and automatically fixing any side-effects. The repair script generation considers all known variants of the malware family. It runs these variants in a sandbox (controlled software automation) or analyzes data from real-world infected machines (field telemetry). Based on this analysis, variations in side effects are identified. The repair script is executed on the infected computer which computes a "heuristic distance" (amount of difference) between expected side-effects and the actually observed changes. If this difference is small enough (below a threshold), the suspicious registry key or file is classified as a malware side effect and remediated. These modules are stored in memory and executed by a processor.
12. The system of claim 11 , wherein the potential side-effect of the potentially malicious file comprises at least one of: a modification to a file name caused by the potentially malicious file; a modification to the registry key caused by the potentially malicious file; a creation of the file caused by the potentially malicious file; and a creation of the registry key caused by the potentially malicious file.
The system described in Claim 11, where the potential side-effect of the malware includes changes to a file name, modifications to a registry key, creation of a new file, or creation of a new registry key. In other words, the system detects side-effects such as a new file suddenly appearing or an existing registry key being changed after malware execution. The repair script specifically targets these changes.
13. The system of claim 11 , wherein the determination module determines the potential side-effect of the potentially malicious file by: executing the potentially malicious file in a controlled software automation environment; upon executing the potentially malicious file, detecting evidence of the potential side-effect; and determining, based at least in part on the evidence of the potential side-effect, that the potentially malicious file causes the potential side-effect.
The system described in Claim 11, where identifying potential malware side effects involves running the suspicious file in a controlled, automated testing environment (sandbox). By observing the system's state after execution, the system detects any new activity. If the file execution results in side effects, it's determined that the file is the cause. This helps automatically identify side effects without relying on pre-existing knowledge.
14. The system of claim 11 , wherein the determination module determines the potential side-effect of the potentially malicious file by: collecting behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; and identifying, by analyzing the behavioral information collected from the group of computing devices, the potential side-effect of the potentially malicious file.
The system described in Claim 11, where identifying potential malware side effects involves collecting data from multiple computers that have run the suspicious file. By analyzing the combined behavior across these machines, the system identifies common side effects caused by the file. This approach uses real-world data to determine the file's impact, rather than relying solely on isolated sandbox testing.
15. The system of claim 11 , wherein: the determination module determines at least one potential side-effect of at least one variant of the family of malware that includes the potentially malicious file; and the generation module generates, based at least in part on the potential side-effect of the variant, a repair script that facilitates remediation of the potential side-effect of the variant.
The system described in Claim 11, where instead of focusing solely on the original suspicious file, the system also examines the potential side effects of related malware variants. The repair script is then generated to address these variant-specific side effects. By addressing multiple related threats, the repair script is made more comprehensive.
16. The system of claim 15 , wherein the variant of the family of malware comprises at least one of: a variant whose file name differs from a file name of the potentially malicious file; and a variant whose attribute differs from a corresponding attribute of the potentially malicious file.
The system described in Claim 15, where the malware variant is identified by differences in its filename or file attributes compared to the original suspicious file. Even if the file has been altered slightly, the system still recognizes it as belonging to the same malware family and addresses the new side-effects.
17. The system of claim 11 , wherein the generation module generates a generic repair script that: identifies the registry key or the other file as potentially being a side-effect of the potentially malicious file; and facilitates remediation of the registry key or the other file identified as potentially being a side-effect of the potentially malicious file.
The system described in Claim 11, where generating the repair script produces a generic script that identifies registry keys or files as *potentially* being malware side effects. The script then facilitates remediation of these potentially malicious items. This means the script is designed to flag suspicious items even if they are not definitively confirmed as malicious, allowing for a broader cleanup.
18. The system of claim 11 , wherein the generation module generates the repair script based at least in part on the variations in potential side-effects that result from executing or removing the variants from computing systems.
The system described in Claim 11, where the generated repair script is designed to specifically address the variations in potential side effects caused by different malware variants. If one variant creates a specific registry entry while another modifies an existing one, the repair script handles both scenarios.
19. The system of claim 11 , wherein: the determination module: collects behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; and identifies, by analyzing the behavioral information collected from the group of computing devices, the registry key or the other file as potentially being a side-effect of the potentially malicious file; and the generation module may compute the certain threshold based at least in part on the registry key or the other file potentially being a side-effect of the potentially malicious file.
The system described in Claim 11, where identifying potential malware side effects involves collecting data from multiple computers that have run the suspicious file and the "heuristic distance threshold" used in remediation is computed based on this real-world data. This allows the system to adjust the threshold based on actual malware impact.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to: identify a potentially malicious file located on a computing system; determine at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file; generate, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by: identifying all known variants of a family of malware that includes the potentially malicious file; performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; and remedy the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to: compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known-side effect and the potential side-effect; determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold; in response to determining that the heuristic distance is below the certain threshold: classify the registry key or the other file as a side-effect of the potentially malicious file; and remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file.
A computer-readable storage medium contains instructions that, when executed, cause a computer to create malware repair scripts automatically. The process involves identifying a suspicious file, determining its *potential* side effects (registry keys or files created/changed), generating a repair script, and automatically fixing any side-effects. The repair script generation considers all known variants of the malware family. It runs these variants in a sandbox (controlled software automation) or analyzes data from real-world infected machines (field telemetry). Based on this analysis, variations in side effects are identified. The repair script is executed on the infected computer which computes a "heuristic distance" (amount of difference) between expected side-effects and the actually observed changes. If this difference is small enough (below a threshold), the suspicious registry key or file is classified as a malware side effect and remediated.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
July 17, 2014
May 23, 2017
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.